Policies that grant all permissions violate the principle of least privilege.
Policies that grant all permissions — for example by using a wildcard (*) in the action field or by assigning an overly permissive role such as roles/owner — give an identity unrestricted access to all operations on a resource.

Following the principle of least privilege, policies should grant only the minimum set of permissions required for the identity to perform its intended function.

Overly permissive policies increase the risk of unintentional data modification, data exposure, or full cloud environment compromise if an identity is misused or stolen.
An attacker who gains control of an identity with full permissions can perform any operation on any resource, including reading, modifying, or deleting sensitive data. They can also escalate privileges by creating new identities or modifying other policies, potentially leading to a full compromise of the cloud environment.
The following code grants full permissions to identities instead of limiting them to only those required. The second example, which grants the single permission iam:GetAccountSummary on the users of one account, is the compliant alternative.
import { aws_iam as iam } from 'aws-cdk-lib'
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ["*"], // Noncompliant
resources: ["arn:aws:iam:::user/*"],
})
import { aws_iam as iam } from 'aws-cdk-lib'
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ["iam:GetAccountSummary"], // Compliant: one named action instead of "*"
resources: ["arn:aws:iam::123456789:user/*"], // scoped to the users of a single account
})
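As an added example (not part of the original page and not SonarSource's own rule implementation), the following TypeScript function scans an IAM policy document in the AWS JSON format and reports every Allow statement whose action is the full wildcard "*" or a whole-service wildcard such as "s3:*". This is the same pattern the noncompliant CDK snippet above produces once synthesized. The sample policy document and the function and type names are constructed for illustration.

```typescript
// Added example: a static check for wildcard actions in an IAM policy document.
// Type names, function names and the sample policy are constructed for this
// example; the policy shape follows the AWS IAM policy JSON format.

type Statement = {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource?: string | string[];
};

type PolicyDocument = {
  Version: string;
  Statement: Statement[];
};

type Finding = {
  index: number;   // position of the statement inside the document
  action: string;  // the offending action string
  reason: string;  // why it violates least privilege
};

// IAM allows both a single string and an array for Action/Resource.
function asList(v: string | string[] | undefined): string[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// Returns one finding per offending action in each Allow statement.
// Deny statements are skipped: they narrow access rather than widen it.
function findOverlyPermissiveStatements(doc: PolicyDocument): Finding[] {
  const findings: Finding[] = [];
  doc.Statement.forEach((stmt, index) => {
    if (stmt.Effect !== "Allow") return;
    for (const action of asList(stmt.Action)) {
      if (action === "*") {
        findings.push({ index, action, reason: "grants every action on every service" });
      } else if (action.endsWith(":*")) {
        const service = action.slice(0, -2);
        findings.push({ index, action, reason: `grants every action of the ${service} service` });
      }
    }
  });
  return findings;
}

// Constructed sample policy: statements 0 and 2 should be flagged,
// statement 1 is a least-privilege grant and statement 3 is a Deny.
const SAMPLE_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "*", Resource: "*" },
    { Effect: "Allow", Action: ["iam:GetAccountSummary"], Resource: "arn:aws:iam::123456789012:user/*" },
    { Effect: "Allow", Action: "s3:*", Resource: "arn:aws:s3:::example-bucket/*" },
    { Effect: "Deny", Action: "*", Resource: "*" },
  ],
};

for (const f of findOverlyPermissiveStatements(SAMPLE_POLICY)) {
  console.log(`statement ${f.index}: action "${f.action}" ${f.reason}`);
}
```

Running the block prints a line for statements 0 and 2 only; the scoped iam:GetAccountSummary grant passes, as does the Deny statement. A check like this belongs in a pre-deployment step over the synthesized CloudFormation template, where the policy JSON actually exists, rather than only in code review.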